sandsifter – The x86 Processor Fuzzer

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies.

Your computer is not yours. You may have shelled out thousands of dollars for it. It may be sitting right there on your desk. You may have carved your name deep into its side with a blowtorch and chisel. But it’s still not yours. Some vendors are building secret processor registers into your system’s hardware, only accessible by shadowy third parties with trusted keys. We as the end users are being intentionally locked out and left in the dark, unable to access the heart of our own processors, while select organizations are granted full control of the internals of our CPUs.

Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.

To run a basic audit against your processor:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The search will take from a few hours to a few days, depending on the speed and complexity of your processor. When it is complete, summarize the results:

./summarize.py data/log

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:

Software bug (for example, a bug in your hypervisor or disassembler),

Hardware bug (a bug in your CPU), or

Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis.

Results

Scanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself.

Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.

Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.

Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.
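The tunneling search and the anomaly binning that summarize.py performs afterwards can be seen end to end on a toy instruction set. The following is an added example, not code from the sandsifter project: `cpu_length` is a constructed stand-in for the processor's own length decoding (sandsifter derives this with a page-fault probe), `disasm_length` is a constructed disassembler that is missing one 4-byte form at the hypothetical opcode F4 AA, and the `tunnel` generator implements the tunneling idea itself: vary only the last byte the decoder actually consumed, so every encoding that differs only in ignored trailing bytes is skipped. The audit records each probe, flags encodings where the CPU and the disassembler disagree on length, and bins the flagged encodings by opcode prefix, which is why tens of thousands of anomalies collapse into a single group.

```python
"""Tunneling instruction search plus anomaly binning, simulated on a toy ISA.
Added illustration; the length models below are constructed, not real x86."""
from collections import Counter

MAX_LEN = 15  # x86 caps an instruction at 15 bytes; the probe buffer is that wide

# constructed: a 4-byte form that the toy processor decodes but the toy disassembler lacks
HIDDEN_OPCODE = (0xF4, 0xAA)


def cpu_length(insn: bytes) -> int:
    """Length the toy processor assigns to the encoding at the start of insn.
    Assumption standing in for sandsifter's page-fault length probe."""
    b0, b1 = insn[0], insn[1]
    if b0 < 0xF0:
        return 1
    if b0 <= 0xF3:                      # ModRM-like: the second byte changes the length
        return 2 if b1 < 0x80 else 3
    if b0 <= 0xFD:
        if (b0, b1) == HIDDEN_OPCODE:   # the undocumented form
            return 4
        return 2
    return 3


def disasm_length(insn: bytes) -> int:
    """Length a toy disassembler believes the encoding has; it does not know the hidden form."""
    if (insn[0], insn[1]) == HIDDEN_OPCODE:
        return 2
    return cpu_length(insn)


def tunnel(length_oracle):
    """Yield (encoding, length) for every instruction reachable by tunneling.
    Only the last consumed byte is incremented, carrying leftwards on wrap;
    bytes at index >= length are always zero, so the carry never loses state."""
    insn = bytearray(MAX_LEN)
    while True:
        length = length_oracle(bytes(insn))
        yield bytes(insn[:length]), length
        i = length - 1
        while i >= 0:
            insn[i] = (insn[i] + 1) & 0xFF
            if insn[i]:
                break
            i -= 1
        if i < 0:
            return  # carried out of byte 0: the whole space has been tunneled


def audit(cpu_len=cpu_length, dis_len=disasm_length):
    """Run the tunnel and flag every encoding whose CPU length and
    disassembler length disagree (one of the signals sandsifter reports)."""
    probes, seen, anomalies = 0, set(), []
    for encoding, length in tunnel(cpu_len):
        probes += 1
        seen.add(encoding)
        padded = encoding + bytes(MAX_LEN - length)  # disassembler sees the same buffer
        if dis_len(padded) != length:
            anomalies.append(encoding)
    return {"probes": probes, "distinct": len(seen), "anomalies": anomalies}


def bin_anomalies(anomalies, prefix_len=2):
    """Summarize step: group the anomaly list by opcode prefix so a huge list
    of encodings collapses into a few groups that can be analyzed by hand."""
    return Counter(a[:prefix_len] for a in anomalies)


def brute_force_size(max_len):
    """Candidates a naive brute-force enumeration up to max_len bytes would try."""
    return sum(256 ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    result = audit()
    groups = bin_anomalies(result["anomalies"])
    print(f"tunnel probes: {result['probes']} (brute force to 4 bytes: {brute_force_size(4)})")
    print(f"anomalies: {len(result['anomalies'])} encodings in {len(groups)} group(s)")
    for prefix, count in groups.items():
        print(f"  prefix {prefix.hex()}: {count} encodings")
```

On this toy ISA the tunnel probes 330,991 encodings, each one a distinct instruction, where brute force up to 4 bytes would try over four billion; the 65,536 flagged encodings all share the prefix F4 AA and bin into one group, which is the pattern the text describes for real scans. Real sandsifter output needs the further step of deciding whether such a group is a disassembler bug, a hardware bug, or an undocumented instruction, and that is the part that often still needs manual analysis.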

Additional research data and the rosenbridge backdoor presented at DEF CON 26 can be found here.